Mac users can expect more OS X botnets, drive-by downloads, and mass malware from here on out. That's according to security researchers from Kaspersky Lab, who said during a press conference on Thursday morning that anti-malware software is now a necessity for Mac users, and that "Mac OS X invulnerability is a myth."

The firm acknowledged that malware for the Mac has existed for years but only recently started gaining more momentum thanks to a critical increase in Mac market share. In the case of Flashback (also known as Flashfake), the malware morphed from a socially engineered installation app to an attack that targeted an unpatched Java vulnerability. So far, it has been used to hijack search results—a technique often used in click fraud scams—but the attackers have the ability to employ the malware tactic of their choice on a machine at any time as long as it remains infected.

(It's worth noting that Kaspersky says the latest Flashback infection was spread via hijacked WordPress sites thanks to a vulnerability in the blog software. This means that trusted blogs visited by Mac users could have been used to spread the infection, debunking the myth that infections only happen by visiting shady websites or opening unidentified files.)

Kaspersky and other researchers still aren't sure exactly who's behind Flashback, but speculate that the perpetrators are only going after small financial gains given their behavior patterns. "The exploit distribution URLs that we are aware of have only targeted Mac users," says Kaspersky Lab analyst Kurt Baumgartner. "These factors limit the operational and technical needs of a financially motivated cybercrime gang."

The firm says the number of Flashback infections has plummeted to about 30,000 in recent days—a bit lower than Symantec's 140,000 estimate from Wednesday, and quite a bit lower than the almost 700,000 who were infected as of April 6. (See graph at the top of this post.) But 30,000 is still a fairly large number, and Kaspersky warns that Mac users can no longer rest easy on the belief that they are (or were ever) immune to these kinds of attacks.

The firm did acknowledge that Apple is moving toward a more controlled Mac ecosystem with the introduction of Gatekeeper in OS X 10.8 (Mountain Lion), expected to be released this summer. Using Gatekeeper, Mac users will be able to tightly control which sources apps can be installed from, theoretically making the platform safer from downloadable malware attacks—at least for less experienced users. But Kaspersky predicted we're going to see a "cat and mouse game" between Apple and attackers, and emphasized that conscientious Mac users should get on the antivirus software bandwagon before it's too late.

Apple did not immediately respond to requests for comment on Kaspersky's statements.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

Half joking. Of course this is going to become a bigger issue but I want to wait and see if it's just going to be for users that don't update their Macs. I'm guessing either way that Apple will provide the role of getting rid of malicious software rather than expect third parties to do it for them.

I wanted to type a long response, but it turns out I can summarize it in just one word: Duh.

Indeed. This has been debunked how many times now?

On the other hand, anti-malware software vendors have typically been as slow to respond to Mac threats as Apple itself. If you'd been running every malware-protection program in existence during the Flashback scare, the only way they might have protected you is by cumulatively stealing enough resources to make the Mac unusable.

I do think part of the problem is people (including those who write for the technology press) who can't distinguish between "not quite as vulnerable as people on unpatched copies of Windows 98" and "completely invulnerable".

While people may scoff that a security firm that puts out AV software is telling people to buy AV software, in reality, it's these companies that are doing much of the legwork in tracking security exploits and vulnerabilities in computer ecosystems. So they're precisely the people who'd put out these kinds of reports, lest that discredits them.

"Hovering around... XP SP1 in terms of security"? Jeremy - you need to add some substance to that comment if you don't want to be dismissed as a troll.

As for the "Mac OSX invulnerability to malware myth", the only time I ever hear that is as a straw man from security firms. Apple had an advert which used the carefully-worded claim that Macs could not be infected by Windows viruses, but I don't take that as a claim of invulnerability to malware (and it was just an advert from about five years ago).

In any event, not being immune to malware does equate to the requirement for on-access AV scanning. Certainly not Kaspersky's - its Flashback removal tool was withdrawn because it did more damage than the Flashback malware.

Anyone, even an outright MAC Bigot that operates under the premise that macs are immune to malware is a bigger moron than we have the ability to measure currently... Market share was the savior, that is the case no more... Get on the happy bus, get protected.

It's so obviously self-serving for them to say this only the extreme fan boys are taking this at face value.

There are ongoing Windows threats right now that are much worse than this one for Macs. Why is no one reporting on it? Because it's the status quo for Windows to be insecure - even with all patches and AV installed.

I do think part of the problem is people (including those who write for the technology press) who can't distinguish between "not quite as vulnerable as people on unpatched copies of Windows 98" and "completely invulnerable".

OS X is probably hovering around Windows XP SP1 in terms of security. They're going to be forced to clean things up, just like Microsoft was.

How do you come to that conclusion?

MacOS X and Linux are both potentially vulnerable to the same sort of malware, but that is only a subset of what Windows XP was vulnerable to. Every operating system is vulnerable to being exploited, so anyone who wants to believe otherwise is kidding themselves.

The challenge is always going to be how to prevent the average user from shooting themselves in the foot. How do you prevent them doing this, while not taking away their freedoms? The App store will probably help, but if a user decides to install an application as a root user from a dodgy site, then there isn't much you can do.

Stepping into the real world, how do you educate a user to what is a fake bank note and which is real? The issues are the same in IT.

But Kaspersky predicted we're going to see a "cat and mouse game" between Apple and attackers, and emphasized that conscientious Mac users should get on the antivirus software bandwagon before it's too late.

The only myth here is that any sane OS X user really believed that their computer was ever invulnerable to malware. Another AV vendor's sales pitch, disguised as security "analysis".

A myth that has somehow been true of EVERY SINGLE OS X user I have ever known. They've told me they liked their system because it was immune and never ran anti-virus software of any kind. So I hope these people are right because honestly I don't really see OSX as being much better than Windows 7 at this point. Being told it's sooooooo much more secure just makes me laugh at people. It might be less of a target, but these people like I said, assume they're immune. Not much of a myth to that. (not that everyone is like that obviously)

The fact that a security firm that sells anti-virus software has to come out and state such a thing, and that online magazines have to publish articles about it, testifies to the built-in security you get with Macs, Unix, Linux, etc. compared to Windows. While the real "Duh" for Windows users is to get AV software, the issue is not so clear anywhere else.

Obviously there are security holes in any system as complex as an operating system, there always will be, and OS X is no exception. BUT... going from over 600k infections to about 50k in a WEEK? With nothing but a system update? And it was cut in half days before the system update was even available... That is a remarkable success, and if I were a malware author, I would be looking for easier pickings that weren't able to reduce my infected base by 90% with very little effort.

Well if Apple ever wanted a solid reason to convince Mac users to use the Mac App store (which has been far less successful than the iOS one), they now have it.

You're right on.

Attempts to screen downloads in browsers or with plugins are only the beginning. The dozen-or-so warnings that typically come with downloading a file... including built-in browser messages like "this publisher couldn't be verified" and "This file is not often downloaded and could put you at risk" and all the myriad warnings that come with third-party toolbars and anti-virus software... are just going to be summed up from now on as "This is not from the official app store, and could blow up your family so you're on your own, sucka"

The only time I've heard "Macs are invulnerable to malware" in the last, oh, four years, is when people are trying to debunk it. (Often those people are representing firms that sell security software.) I haven't heard anyone say they think Macs are invulnerable, just people claiming that other people think that Macs are invulnerable.

Even if you wanted to secure a mac with tools like AV, they just aren't there in terms of ease of management, or reliability.

I test every year or two with our vendor's Mac solutions... make the system near unusable. Stupid things like adding .5-1 sec of lag to the cursor in Photoshop / Illustrator are the usual. I had one see the Quark license file as a threat (it wasn't wrong, but I didn't enjoy re-serializing it). ProTools becomes completely unusable. Nothing like having it throw DAE errors mid-recording because it wants to constantly scan.

I would rather risk infections. It would cause far fewer problems than the 'cure'.

Anyone, even an outright MAC Bigot that operates under the premise that macs are immune to malware is a bigger moron than we have the ability to measure currently... Market share was the savior, that is the case no more... Get on the happy bus, get protected.

Not to let facts get in the way too much but Mac OS 9 had way more security problems with vastly less marketshare and users. Why? Because of the architecture.

You are obviously the "bigger moron" here for not understanding this at all. Does marketshare play a role? Perhaps a small amount. But I've made several small applications for Windows and Macs. On Macs I have to work within security restrictions to change things on the system outside my application. On Windows? I can do anything I want to the system. That's not a marketshare issue, that's an architecture issue.

If it were only a marketshare issue then why would Microsoft be changing their policies and recommendations to be more like Mac and Linux (the most obvious one being not to run as Administrator/root).

The only people I have EVER heard say this are people who quite obviously are not OS X users. Even in light of this latest brouhaha I still see it this way:

1. No operating system is 100% SECURE.

2. There is a distinct difference between SAFETY and SECURITY. And OS X is one of the safest computing platforms in existence.

3. I still see no reason to run AV software that A) slows down my machine, B) may create all type of incompatibilities and conflicts with other software, and C) only protects me against yesterday's exploits and not tomorrow's which is where the real threat lies.

I've used OS X for over a decade now and have yet to come across a single instance of malware on any of my machines. Does malware for OS X exist? Certainly. Is it widespread enough for me to lose any sleep over it? Not so much.